Google has outlined a plan to stop third-party antivirus on Windows from injecting code into Chrome and will soon start telling its billion users to remove the offending products.
The incoming block is technically aimed at all third-party software that injects code into Chrome processes but in practice it targets non-Microsoft antivirus for Windows.
According to Chris Hamilton of Chrome’s ‘stability team’, software that injects code into Chrome on Windows results in a 15 percent higher chance the user experiences crashes. Additionally, there are other ways of getting the job done.
The block on antivirus that injects code into Chrome will be introduced in phases and Google will be applying pressure on antivirus firms to change their ways through browser warnings.
Beginning with Chrome 66, which arrives in April 2018, Chrome will display a warning after a crash and tell the user that a specific application caused it. The notification will also advise users to update or remove the “problem applications”.
Another class of software that injects code into Chrome processes is accessibility software, however these applications will be exempt from the block and warnings. So too will any Microsoft-signed code, so presumably Chrome will not advise Windows users to remove Microsoft’s Windows Defender program if it injects code into Chrome.
In Chrome 68, due out in in July 2018, the block on offending applications becomes more aggressive. Chrome will block third-party software from injecting code into Chrome processes and if this prevents Chrome from launching, it will restart and then allow the injection. It will then guide users to remove the software. By Chrome 72 in January 2019, Chrome will simply block code injection.
Hamilton notes with features like Chrome extensions and Native Messaging, applications no longer need to run code inside Chrome processes and suggests developers start using these instead.
Google and the Chrome team's conflicts with the security industry has previously centered on HTTPS web encryption, which Google has been pushing the web towards in recent years.
Google researchers contributed to a recent study that named and shamed antivirus and security products that undermined web encryption by intercepting HTTPS connections in order to inspect traffic for malware.
US CERT agreed with the study's finding, earlier this year issuing a warning that the practice of HTTPS interception weakened transport layer security.